vadimpiven · vadimpiven · Jan 24, 2026 · Jan 24, 2026 · Jan 24, 2026
diff --git a/.github/workflows/regular.yaml b/.github/workflows/regular.yaml
@@ -31,7 +31,7 @@ jobs:
       mise-version: "${{ steps.init-workflow.outputs.mise-version }}"
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8" # v6.0.1
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
           ref: "${{ github.ref }}"
           fetch-depth: 1
@@ -54,7 +54,7 @@ jobs:
     runs-on: "${{ matrix.os }}"
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8" # v6.0.1
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
           ref: "${{ github.ref }}"
           fetch-depth: 1
@@ -88,7 +88,7 @@ jobs:
     runs-on: "ubuntu-latest"
     steps:
       - name: "Checkout repository"
-        uses: "actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8" # v6.0.1
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
           ref: "${{ github.ref }}"
           fetch-depth: 1
@@ -108,7 +108,7 @@ jobs:
     runs-on: "ubuntu-latest"
     steps:
       - name: "Checkout repository"
-        uses: "actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8" # v6.0.1
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
           ref: "${{ github.ref }}"
           fetch-depth: 1
@@ -119,6 +119,9 @@ jobs:
           trivy-config: "trivy.yaml"
           scan-type: "fs"
           scan-ref: "."
+          format: "sarif"
+          output: "trivy-results.sarif"
+          ignore-unfixed: true
       - name: "Upload Trivy scan results to GitHub Security tab"
         uses: "github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89" # v4.31.10
         with:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -23,7 +23,7 @@ jobs:
       mise-version: "${{ steps.init-workflow.outputs.mise-version }}"
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8" # v6.0.1
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
           ref: "${{ github.ref }}"
           fetch-depth: 1
@@ -47,7 +47,7 @@ jobs:
     runs-on: "${{ matrix.os }}"
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8" # v6.0.1
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
           ref: "${{ github.ref }}"
           fetch-depth: 1
@@ -102,7 +102,7 @@ jobs:
     runs-on: "ubuntu-latest"
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8" # v6.0.1
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
           ref: "${{ github.ref }}"
           fetch-depth: 1
@@ -145,7 +145,7 @@ jobs:
     runs-on: "ubuntu-latest"
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8" # v6.0.1
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
           ref: "${{ github.ref }}"
           fetch-depth: 1

diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1.20@sha256:26147acbda4f14c5add9946e2fd2ed543fc402884fd75146bd342a7f6271dc1d
 # <https://quay.io/repository/pypa/manylinux_2_28?tab=tags>
-FROM quay.io/pypa/manylinux_2_28@sha256:f26d80d4e483823df796cc3f5a1818a72f16ccbb67d55b437db70dffa142c9ab
+FROM quay.io/pypa/manylinux_2_28@sha256:553fe81d74eb4f2be0901928c4c3af50ca6562b75741f45911770a00630650f0
 
 ARG TARGETARCH
 ARG USERNAME=runner

diff --git a/mise.toml b/mise.toml
@@ -417,8 +417,8 @@ sources = ["{.github,packages,scripts}/**/*.{rs,ts,js,mts,mjs,py,toml,json,yaml,
 [tasks."check:trivy-fs"]
 description = "Security scan filesystem with trivy"
 hide = true
-depends = ["setup:pnpm"]
-run = "trivy fs . --include-dev-deps --format table"
+depends = ["setup"]
+run = "trivy fs . --format table --ignore-unfixed"
 sources = ["*.{toml,lock,json,yaml,yml}", "packages/**/*.{toml,json}", "Dockerfile"]
 
 [tasks."fix:trivy-fs"]

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,7 @@
 [project]
 name = "workspace"
 version = "0.0.0"
+dependencies = []
 
 [tool.uv]
 required-version = ">=0.9.21"
@@ -12,9 +13,9 @@ members = ["packages/node/tests/mitmproxy"]
 [dependency-groups]
 dev = [
     "mitmproxy==12.2.1 ; sys_platform != 'win32'",
-    "pyrefly==0.48.2",
+    "pyrefly==0.49.0",
     "ruff==0.14.13",
-    "semgrep==1.148.0 ; sys_platform != 'win32'",
+    "semgrep==1.149.0 ; sys_platform != 'win32'",
     "zizmor==1.22.0 ; sys_platform != 'win32'",
 ]
 

diff --git a/trivy.yaml b/trivy.yaml
@@ -16,15 +16,12 @@ scanners:
   - misconfig
   - secret
 # Report options
-format: sarif
-output: trivy-results.sarif
 severity:
   - UNKNOWN
   - LOW
   - MEDIUM
   - HIGH
   - CRITICAL
-ignore-unfixed: true
 exit-code: 1
 # Cache options
 cache-dir: .cache/shared/trivy